The importance of logs - DefCamp 2012

Page 1: The importance of logs - DefCamp 2012

The importance of LOG FILES

Rotariu Dan-Andrei, Web Developer @ TOSS Romania

Page 2: The importance of logs - DefCamp 2012

What is a Log?

According to Merriam-Webster's Dictionary, the definition of a log is: "A record, as of the performance of a machine or the progress of an undertaking: a computer log; a trip log."

Purpose of a log: If a log has the capability to record the W5 events, then the purpose of a log is to give security professionals the ability to monitor the activities of the application or device to ensure expected or normal operations.

W5:

- who
- what
- why
- when
- where

…an event occurred.

Page 3: The importance of logs - DefCamp 2012

Why are logs so cryptic?

Because a log can be generated by any device or application, the developers of that device or application will determine how the output should be formatted and exactly what content will be released to the logging processes.

If the developer is only interested in knowing “when” an application or device fails, and wants to know exactly “where” in the code the failure occurred, then the log output will most likely not show you the “who, what, or why” that caused the failure to occur. This leaves you trying to guess or piece several pieces of the log together to find those answers.

As a result, it seems that two strong standards have emerged in the computer industry for the more popular UNIX and Windows environments.

Page 4: The importance of logs - DefCamp 2012

Syslog is a standardized logging system: any flavor of UNIX operating system can emit the same log format, which can be displayed or written to standardized log files.

Windows NT operating systems support the Event Log format, and all events are written in a standardized event log format.
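As an added example (not from the talk), here is a small parser for the classic BSD syslog line layout that the slides refer to, which also maps each line onto the W5 questions from the earlier slide. The sample lines, the host names and the year (RFC 3164 timestamps carry no year, so one has to be assumed) are all constructed; note that there is no syslog field that answers "why", and "who" in the sense of a human user is usually buried inside the free-text message, which is exactly the cryptic-log problem the talk describes.

```python
import re
from datetime import datetime

# Constructed sample lines in the BSD syslog (RFC 3164) layout:
# "<PRI>Mon dd HH:MM:SS host program[pid]: message". Not real data.
SAMPLE_SYSLOG = """\
<38>Oct 14 09:12:01 web01 sshd[2231]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
<37>Oct 14 09:12:07 web01 sudo[2240]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
<77>Oct 14 09:13:44 db01 cron[911]: (root) CMD (/usr/local/bin/backup.sh)
this line is not syslog at all
"""

# PRI = facility * 8 + severity; these are the standard syslog name tables.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                              # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "    # Mon dd HH:MM:SS (no year)
    r"(?P<host>\S+) "                                   # originating host
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "         # program[pid]:
    r"(?P<msg>.*)$"                                     # free-text message
)


def parse_syslog_line(line, year=2012):
    """Return the W5 view of one syslog line, or None if it does not parse.

    The year is an assumption supplied by the caller, since the BSD timestamp
    does not carry one."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    if facility >= len(FACILITIES):      # PRI above 191 is not a valid value
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    who = m["prog"] if m["pid"] is None else f"{m['prog']}[{m['pid']}]"
    return {
        "when": when.isoformat(),
        "where": m["host"],
        "who": who,          # the process; any human user is inside 'what'
        "what": m["msg"],
        "why": None,         # syslog has no field for this; it must be inferred
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
    }


def parse_syslog(text, year=2012):
    """Parse every line; unparsable lines are returned too, so nothing is silently dropped."""
    parsed, rejected = [], []
    for line in text.splitlines():
        rec = parse_syslog_line(line, year)
        if rec is None:
            rejected.append(line)
        else:
            parsed.append(rec)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = parse_syslog(SAMPLE_SYSLOG)
    for rec in ok:
        print(rec["when"], rec["where"], rec["facility"], rec["severity"], rec["who"], "-", rec["what"])
    print("unparsed:", bad)
```

Keeping the rejected lines is deliberate: a collector that drops what it cannot parse is a quiet form of "not logging at all".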

Page 5: The importance of logs - DefCamp 2012

Six Mistakes of Log Management

1. Not logging at all

2. Not looking at the logs

3. Storing logs for too short a time

4. Prioritizing the log records before collection

5. Ignoring the logs from applications

6. Only looking at what you know is bad
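As an added example (not part of the talk), the following review pass over constructed sshd lines shows mistakes 2 and 6 side by side: a known-bad signature (repeated password failures from one source) catches what you already know is bad, while a successful login from a (user, source) pair never seen in the baseline matches no bad signature and would go unnoticed if that were all you looked for. The sample lines, the baseline set and the threshold of five failures are assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sshd authentication events, one per line (not real data).
SAMPLE_AUTH_LOG = """\
2012-10-14T09:12:01 web01 sshd: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
2012-10-14T09:20:11 web01 sshd: Failed password for root from 203.0.113.9 port 40111 ssh2
2012-10-14T09:20:12 web01 sshd: Failed password for root from 203.0.113.9 port 40112 ssh2
2012-10-14T09:20:13 web01 sshd: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
2012-10-14T09:20:14 web01 sshd: Failed password for invalid user test from 203.0.113.9 port 40114 ssh2
2012-10-14T09:20:15 web01 sshd: Failed password for root from 203.0.113.9 port 40115 ssh2
2012-10-14T09:20:16 web01 sshd: Failed password for root from 203.0.113.9 port 40116 ssh2
2012-10-14T11:02:40 web01 sshd: Accepted password for deploy from 198.51.100.20 port 50210 ssh2
"""

# Constructed baseline: (user, source) pairs observed during normal operation.
BASELINE = {("alice", "10.0.0.5"), ("deploy", "10.0.0.7")}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")


def review_auth_log(lines, baseline, failure_threshold=5):
    """Return findings as tuples.

    ('brute-force', ip, count) is the known-bad signature; stopping there is
    mistake 6. ('first-seen-login', user, ip, method) flags a successful login
    outside the baseline, which looks 'good' to a signature but still needs review.
    """
    findings = []
    failures = Counter()
    for line in lines:
        failed = FAILED_RE.search(line)
        if failed:
            failures[failed["ip"]] += 1
            continue
        accepted = ACCEPTED_RE.search(line)
        if accepted and (accepted["user"], accepted["ip"]) not in baseline:
            findings.append(("first-seen-login", accepted["user"], accepted["ip"], accepted["method"]))
    for ip, count in failures.items():
        if count >= failure_threshold:
            findings.append(("brute-force", ip, count))
    return findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_AUTH_LOG.splitlines(), BASELINE):
        print(*finding)
```

The baseline is what you lose when logs are kept for too short a time (mistake 3): without a history of normal logins there is nothing to compare a new one against.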

Page 6: The importance of logs - DefCamp 2012

The Threat

Page 7: The importance of logs - DefCamp 2012

Another kind of log is the everyday message.

I think that everybody has a

- Facebook
- Yahoo
- Google
- Skype
- MSN
- Twitter

And the list goes on and on. What do all of these have in common? They keep track of all of your activities over their services.

On Facebook you have the timeline; Yahoo stores the messenger chat on their servers.

I think that you get my point. They want to be safe, and at the same time they want you to keep track of your actions while using their services.

Page 8: The importance of logs - DefCamp 2012

HOW TO UNDERSTAND THE LOGS?

If a certain individual wants to understand a log file: he has a 50% chance of succeeding

or

just FAILING in a very shameful way :D

To be more accurate let's analyse together a log file.

Page 9: The importance of logs - DefCamp 2012

How do logs help?

Benefits:

- Logs provide clues about performance issues, application function problems, intrusion and attack attempts, etc.

- Logs provide vital inputs for managing computer security incidents.

- When responding to computer incidents, logs provide leads to activities performed over the system.

- Logs facilitate cyber crime investigations:
  * Determine the activity
  * Determine the origin of the attack

Page 10: The importance of logs - DefCamp 2012

LOG FORMATS

Some of the questions that might come to your mind are:

Do logs have a specific format? How are they built?

To be able to answer such questions, we have to be able to read/understand a log correctly:

What is the source? The log source can be absolutely anything: starting with a web server, and going all the way to an industrial setting where we have huge amounts of data in a single day.
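To make the web-server case concrete, and to show the two investigation benefits named earlier (determine the activity, determine the origin), here is an added example that is not part of the talk: a parser for the Apache/NGINX "combined" access log format, followed by a per-source summary. The log lines, the addresses, the site name and the triage thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the Apache/NGINX "combined" log format (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [14/Oct/2012:09:12:01 +0300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [14/Oct/2012:09:12:03 +0300] "GET /css/site.css HTTP/1.1" 200 880 "http://example.test/index.html" "Mozilla/5.0"
10.0.0.5 - alice [14/Oct/2012:09:12:09 +0300] "POST /contact HTTP/1.1" 302 0 "http://example.test/index.html" "Mozilla/5.0"
203.0.113.9 - - [14/Oct/2012:09:40:00 +0300] "GET /admin/ HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [14/Oct/2012:09:40:00 +0300] "GET /setup/ HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [14/Oct/2012:09:40:01 +0300] "GET /backup.zip HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [14/Oct/2012:09:40:01 +0300] "GET /old/index.php HTTP/1.0" 404 210 "-" "-"
203.0.113.9 - - [14/Oct/2012:09:40:02 +0300] "GET / HTTP/1.0" 200 5120 "-" "-"
"""

# host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_access_log(text):
    """Turn combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records


def summarize_by_source(records):
    """Per client address: what it did (paths), how much failed, and when (first/last seen)."""
    summary = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set(),
                                   "first": None, "last": None})
    for r in records:
        s = summary[r["ip"]]
        s["requests"] += 1
        s["errors"] += r["status"] >= 400
        s["paths"].add(r["path"])
        s["first"] = r["when"] if s["first"] is None else min(s["first"], r["when"])
        s["last"] = r["when"] if s["last"] is None else max(s["last"], r["when"])
    return dict(summary)


def suspicious_sources(summary, min_requests=3, error_ratio=0.5):
    """Origins whose activity is mostly errors: a crude but useful first triage cut."""
    return sorted(ip for ip, s in summary.items()
                  if s["requests"] >= min_requests
                  and s["errors"] / s["requests"] >= error_ratio)


if __name__ == "__main__":
    summary = summarize_by_source(parse_access_log(SAMPLE_ACCESS_LOG))
    for ip in suspicious_sources(summary):
        s = summary[ip]
        print(ip, f"{s['errors']}/{s['requests']} errors", s["first"], "->", s["last"], sorted(s["paths"]))
```

The origin of the activity comes from the client address and the time window; the activity itself is the set of paths and the error ratio. Both are only recoverable because the server kept the complete request line rather than only the failures.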

Page 11: The importance of logs - DefCamp 2012

INSTEAD OF CONCLUSION

Page 12: The importance of logs - DefCamp 2012

'Till then STAY SAFE and keep good track of your logs!

And to properly end this,

What do you think of a project that could log on a very large scale everything ?

The concept is very simple, but requires some adjustments: What if you could see in real time what the victim types? How can this be done?

For the moment it's in development as my undergraduate license project.

I hope that by the time the next DefCamp edition takes place I shall have a functional version of the project.
